The EUGDPR replaces the Data Privacy Directive 95/46/EC and is designed to harmonize data privacy laws across the European Union (“EU”). The EUGDPR is designed to protect the privacy of data concerning a natural person that is collected or processed in, or transferred out of, the EU, and to regulate entities that offer goods or services in the EU. The EUGDPR defines personal data to include any information related to an identified or identifiable person, which may include but is not limited to a name, reference number, identification number, location data, online identifier, email address, IP address, or one or more factors specific to a physical, physiological, genetic, mental, economic, cultural or social identity of a person. Therefore, the EUGDPR has broader protections than U.S. and N.J. laws.

The EUGDPR requires personal data to be processed lawfully, fairly and in a transparent manner, limited only to that data which is necessary, maintained for accuracy, stored only for the length of time required or needed, and safeguarded from unauthorized disclosure.

The legal bases under the EUGDPR which permit Montclair State University to collect and process personal data include but are not limited to the following: 1) the data subject has given consent to the processing for a specific purpose; 2) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; 3) the processing is necessary for compliance with a legal obligation to which the University, as controller of the data, is subject; 4) the processing is necessary in order to protect the vital interests of the data subject or another natural person; 5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University; or 6) processing is necessary for the legitimate interests pursued by the University or by a third party, except where such interests are overridden by the interest of the fundamental rights and freedoms of the data subject which require protection of the personal data.

The University may be subject to the EUGDPR if it recruits students or employees in the EU, conducts marketing in the EU, participates in student or faculty exchange programs within the EU, conducts fundraising targeted to the EU, conducts research with human subjects in the EU, or engages in other activities within the EU. Therefore, Privacy Notices have been adopted by each affected unit of the University to describe the personal data collected, the applicable legal basis, the purposes for which data is used, safeguards imposed, the retention period, and a point of contact for an individual to exercise his/her rights under the EUGDPR. The University’s Privacy Notices can be found as follows:

Individuals who wish to exercise their rights under the EUGDPR should contact the email identified in the applicable Privacy Notice. In addition, current students may exercise their rights under the EUGDPR by following the process established by the University’s Registrar at: https://www.montclair.edu/policies/student/eugdpr/.

Consent may be recorded by using the on-line form created by the Division of Advancement at: https://montclairconnect.org/consent-form. Another consent template for use in the EU is available and should be modified depending upon the nature of the use. Click the following link to view the consent template: https://www.montclair.edu/policies/university/eugdpr/consent/. Consent to the collection and processing of personal data must be explicit, and individuals must be provided the ability to revoke consent in as easy a manner as consent was given.

The EUGDPR requires the implementation of appropriate data protection measures taking into account the nature, scope, context and purposes of processing. Data protection should be by design and default, using data minimization, pseudonymization and encryption where appropriate, taking into consideration the risks presented by processing, accidental or unlawful destruction, loss, alteration, and unauthorized disclosure.

Personal data collected by the University from or within the EU is stored in accordance with the Record Retention Schedule adopted by the State of New Jersey, Department of the Treasury, Division of Revenue and Enterprise Services – Record Management Services that is applicable to 4 Year Colleges and Universities, and other applicable U.S. Laws. The State Record Retention Schedule can be found at: http://www.nj.gov/treasury/revenue/rms/pdf/s510000.pdf. University employees may not destroy records until after a request to destroy is submitted to and approved by the State of New Jersey through Artemis after the applicable retention period expires. You should contact University Counsel at 973/655-5225 to become a user of Artemis and to schedule training.

The EUGDPR includes a protocol for investigating, responding to and reporting the unauthorized disclosure of personal data. Any employee who suspects a data breach should report it to the University Help Desk by contacting: https://www.montclair.edu/oit/tech-solutions-center/help-desk/. The Help Desk will respond by following the University’s Data Breach Response Protocol.